(54) Title: DIRECTORYLESS PUBLIC KEY CRYPTOGRAPHIC SYSTEM AND METHOD 



[Front-page drawing (Figure 2): User B knows ID_A, #, M (,x); calculates 1) a (, -a or xa); 2) s = t + a/t mod M, where t is random but (t/M) = b (the cryptovariable) = +1 or -1; 3) s' = t' - a/t' mod M if P, Q congruent to 3 mod 4, or s* = t* + xa/t* mod M if P, Q not congruent to 3 mod 4; sends s, s' to User A. User A knows r, M (,x); receives s, s'; computes b = ((s + 2r)/M) or ((s' + 2r)/M).] 

(57) Abstract: A method of operating an identity based directoryless key-code cryptographic communication system having two 
users A and B and a universal authority U, involving the generation of a public modulus M, being the product of two primes P and 
Q, and the operation of a publicly available secure one way hash function, #. User A presents his identity to U who uses #, M, P and 
Q to generate a decryption key, r, which is only made available to A. User B, who wishes to transmit a message to A, can encrypt 
data by using the #, M and A's identity. User A can recover the data by using r. 



WO 02/51066 



PCT/GB01/05539 



Directoryless Public Key Cryptographic System and Method 

The present invention relates to asymmetric key-code cryptographic communications 
systems and methods and in particular to identity based systems wherein the user's 
identity, for example his email address, is used to work out an encryption function. 

Many applications, such as electronic banking and email systems, require the transfer 
of information between microprocessors over communications channels. In such 
applications it is preferable to encrypt information passing over the communications 
channel to prevent unauthorised disclosure of the information. 

Cryptographic functions may be implemented in a microprocessor controlled 
communications system by the use of either symmetrical or asymmetrical algorithms. 

In an asymmetrical algorithm system a user makes universally available a single 
"public" key to anyone wishing to send the user a message. The user retains a 
decryption key, the so-called "private" key, which is related in some way to the public 
key. A well-known asymmetrical algorithm based communications system is the RSA 
algorithm (US-A 4,405,829). 

In public/private key encryption systems it is necessary to know the public key of the 
recipient of the message. In an online system, for example a telephone system, 
recipients can send their public key as and when it is required to enable someone to 
send them encrypted messages. However, in an offline system, for example an email 
system, the need to know the public key necessitates the holding of directories of 
public keys. 

In an identity based system (an asymmetrical system) it is possible to avoid the need 
for a separate public key directory by making a user's public key a function of his 
identity, for example his email address. 

The possibility of an identity based system was first proposed in a paper by A. Shamir 
(Identity-based cryptosystems and signature schemes, Advances in Cryptology - 
CRYPTO '84, Lecture Notes in Computer Science, vol. 196, Berlin: Springer Verlag, 
pp. 47-53, 1985). The paper discussed a cryptographic scheme which would enable a 
pair of users to communicate securely and also verify each other's signatures without 
exchanging public keys, without keeping key directories and without using the 
services of a third party. The scheme assumed the existence of a key generation centre 
who would generate a user's decryption key from any combination of the user's name, 
address, telephone number etc. provided it uniquely identified the user in a way that 
could not be denied. Shamir acknowledged, however, that his identity based scheme 
could not be implemented using the RSA scheme. Either it was computationally 
impossible for the key generation centre to calculate the private key or users could 
determine supposedly hidden properties of the scheme from their own public and 
private keys. 

An identity based non-interactive public key distribution system was also proposed by 
Maurer and Yacobi (U. Maurer and Y. Yacobi, Non-Interactive Public Key 
Cryptography Advances in Cryptology - Proceedings of Eurocrypt '91). The system 
proposed, however, required considerable computational effort on the part of the 
trusted key generation authority. 

A further key distribution system based on identification information is described by 
Okamoto (E. Okamoto, Key Distribution Systems Based on Identification Information, 
Advances in Cryptology - Proceedings of Crypto '87). Okamoto proposed two types 
of system, the first for decentralised networks (where users communicate directly with 
one another) and the second for centralised networks (which require a network centre 
to function). This system was not truly directoryless, however, since the user's identity 
was used only as part of the key generation process and so a public directory was still 
needed for offline communication between users. 

It is the object of the present invention to provide a workable directoryless public key 
system. 
The object of the present invention is achieved by considering two users A and B and 
a universal authority U, involving the generation of a public modulus M; where in a 
first embodiment M is the product of two primes P and Q which are both congruent to 
3 mod 4, and a publicly available secure one-way hash function # is operated, 
characterised by the following steps: 

i) having U determine the public modulus M; 

ii) having U apply the # to A's identity to produce a value a modulo M such that the 
Jacobi symbol (a/M) is +1, then to calculate the square root modulo M of a or 
-a and supply a resulting root, r, to A; 

iii) having B compute a and transmit a bit of cryptovariable b to A encrypted as 
s = (t + a/t) mod M, where t is a random number modulo M such that the Jacobi 
symbol (t/M) = b and b is coded as either +1 or -1; 

iv) having user B retransmit the bit of cryptovariable b to A encrypted as 
s' = (t' - a/t') mod M, where t' is a different random number modulo M to t such 
that (t'/M) = b; 

v) having user A recover cryptovariable bit b by computing b = ((s + 2r)/M) or 
b = ((s' + 2r)/M). 



A second embodiment of the invention details a similar directoryless key-code 
cryptographic communication system also employing the publicly available # and 
where one or both of the primes P and Q are congruent to 1 mod 4. In this case the 
invention is characterised by the following steps: 

i) having U determine the public modulus M; 

ii) having U find and publish an integer x such that x is not a square modulo P nor Q; 

iii) having U apply the # to A's identity to produce a value a modulo M such that the 
Jacobi symbol (a/M) is +1 and then to calculate the square root modulo M of a or 
xa and supply a resulting root, r, to A; 

iv) having B compute a and transmit a bit of cryptovariable b to A encrypted as 
s = (t + a/t) mod M, where t is a random number modulo M such that the Jacobi 
symbol (t/M) = b and b is coded as either +1 or -1; 

v) having B retransmit the bit of cryptovariable b to A encrypted as 
s' = (t' + xa/t') mod M, where t' is a different random number modulo M to t such 
that (t/M) = (t'/M) = b; 

vi) having A recover cryptovariable bit b by computing b = ((s + 2r)/M) or 
b = ((s' + 2r)/M). 

A third embodiment of the invention describes how the system can be worked without 
the need for the re-transmission of data described in previous embodiments. This uses 
M, the product of any two non-even primes, and also uses the # function and is 
characterised by the following steps: 

i) having U determine the public modulus M; 

ii) having U apply the # to A's identity to produce a value a modulo M such that 
the Jacobi symbol (a/M) is +1 and then to calculate the square root modulo M 
of a, -a or xa where x, which is an additional publicly available system 
parameter, is an integer which is neither square modulo P nor Q, and to supply 
a resulting root, r, to A; 

iii) having U publish whether A has received a root of +a, -a or xa; 

iv) having B compute a and: 

(I) if A has received a root of +a: transmit a bit of cryptovariable b to A 
encrypted as s = (t + a/t) mod M, where t is a random number modulo 
M such that the Jacobi symbol (t/M) = b and b is coded as either +1 or -1; 

(II) if A has received a root of -a: transmit a bit of cryptovariable b to A 
encrypted as s' = (t - a/t) mod M, where t is a random number modulo 
M such that the Jacobi symbol (t/M) = b and b is coded as either +1 or -1; 

(III) if A has received a root of xa: transmit a bit of cryptovariable b to A 
encrypted as s'' = (t + xa/t) mod M, where t is a random number modulo 
M such that the Jacobi symbol (t/M) = b and b is coded as either +1 or -1; 

v) having A recover cryptovariable bit b by computing 

(I) b = ((s + 2r)/M), 

(II) b = ((s' + 2r)/M), or 

(III) b = ((s'' + 2r)/M). 


In the above embodiments the users' identities may be based upon their email 
addresses, optionally together with the current date. 

In a further useful variant of the present invention, the responsibility for generating the 
public modulus M is split between two or more universal authorities. Such a split key 
cryptographic system is described in GB Patent Application 9715761.4 (filed 28th July 
1997) and in Split Knowledge Generation of RSA Parameters by C Cocks (From 
Proceedings of 6th IMA Conference on Cryptography and Coding, Cirencester, 
December 1997, Published by Springer Verlag, Lecture Notes in Computer Science 
vol. 1355). This variant has the advantage of added security since no one authority 
holds all the information necessary to intercept and de-code messages. 

Methods of working the invention may be effected by using microprocessors. 

In a particularly advantageous arrangement of the invention, providing the opportunity 
to reduce bandwidth without compromising security of the system, only a message 
header section which precedes the main message is encrypted in accordance with a 
method as described above while the main message is encrypted by means of a 
standard technique. The message header is then used to detail which of a number of 
standard encryption techniques is to be used in the main message. This will result in 
the overall encryption system being computationally less expensive than one encrypting 
the whole message. 

Examples according to the present invention will now be described with reference to 
the accompanying figures, in which: - 

Figure 1 is a functional representation of the registration process. 

Figure 2 is a functional representation of the encryption, transmission 
and decryption process. 

Example 1 

I) (Figure 1) To begin a universal authority U generates a universally available public 
modulus M which is the product of two primes P and Q, which are known by U only, 
where P and Q are both congruent to 3 mod 4. P and Q are chosen to be very large to 
make it computationally unfeasible to factorise M. A first user A then presents his 
identity to U and a publicly known secure one-way hash function (hereinafter referred 
to as the "hash function") is applied to A's identity to produce a value a modulo M 
such that the Jacobi symbol (a/M) is +1. The process essentially involves the multiple 
application of the hash function in a structured way to produce a set of candidate 
values for a, stopping when (a/M) = +1. The correct operation of the hash function on 
a recipient's identity will be evident from the hash function itself and can be 
replicated by anyone holding the universal parameters and A's identity. U can 
calculate the square root modulo M since he knows P and Q, and he presents one of 
the four possible roots, r, to A. It should be noted that it is essential that only one of 
the roots r is ever released to ensure that the integrity of the system is not 
compromised. This root r will later enable A to decrypt any encrypted messages he 
receives. One way for U to determine this root is to calculate 

r = a^((M + 5 - (P + Q))/8) mod M. 

Such an r will exist as (a/M) = +1 (see footnote 1), and so either a is a 
square modulo both P and Q, and hence is a square modulo M, or else -a is a square 
modulo P, Q and hence M. The latter case arises because by construction P and Q are 
both congruent to 3 mod 4 and so (-1/P) = (-1/Q) = -1. Thus either a or -a will be 
square modulo P and Q. 

II) (Figure 2) A second user B who wishes to send encrypted data to user A first must 
know the hash function, the public modulus M and the identity of A. B then computes 
a and encrypts a bit of data b to A as s = (t + a/t) mod M, where t is a random 
number modulo M such that (t/M) = b and b is coded as either +1 or -1. User B then 
transmits s to user A. If user B does not know if A has a root of +a or -a then he will 
need to replicate the above transmission of the encrypted bit b by choosing a different 
random number modulo M, t', where (t/M) = (t'/M) = b and then transmitting 
s' = (t' - a/t') mod M in an identical fashion to A. It should be noted that user B cannot 
use the same value of t to transmit s' = (t - a/t) mod M since it would be possible for 
someone to decrypt an intercepted message by calculating s + s' = 2t and therefore b. 
When used practically, a message sent by the user B will comprise a message header 
followed by the subject of the message. The header will be encrypted using the above 
technique and will contain instructions as to how to decode the subject of the message 
which will be encrypted using a standard encryption technique. The main issue 
regarding practicality is the bandwidth requirement, as each bit of the message header 
cryptovariable requires a number of size up to M to be sent. For a 120 bit 
cryptovariable and using a 1024 bit modulus M, B will need to send 15 Kbytes of 
keying material. If B does not know whether A has received the square root of a or of 
-a then he will have to double this. Nevertheless for offline email use this may be an 
acceptable overhead. 

1: Note: the Jacobi symbol (X/M) is the product of the two square modulo symbols (X/P) and (X/Q) 
(where M = PQ). Thus it is +1 if either X is a square modulo both P and Q or X is a non-square 
modulo both P and Q. A useful feature of the Jacobi symbol is that it can be calculated without 
knowledge of the factorisation of M (see, for example, H. Cohen, A Course in Computational Algebraic 
Number Theory, Springer Verlag Graduate Texts in Mathematics 138, 1993). 

III) A then needs to recover the bit b. Since s + 2r = t(1 + r/t)(1 + r/t) mod M it 
follows that the Jacobi symbol ((s + 2r)/M) = (t/M) = b (see footnote 2). As A knows the 
value of r he can calculate the Jacobi symbol ((s + 2r)/M) and hence recover b. If A 
holds the root of -a as opposed to +a then A will need to calculate ((s' + 2r)/M) in 
order to recover b. 

2: Note: t(1 + r/t)(1 + r/t) = t + r^2/t + 2r, but r is a root of a, so r^2 = a and this 
equals t + a/t + 2r = s + 2r since s = (t + a/t). Hence 
((s + 2r)/M) = (t/M)((1 + r/t)/M)((1 + r/t)/M) = (t/M), 
since the Jacobi symbol is either +1 or -1 and so ((1 + r/t)/M)^2 = 1. I.e. User A can 
recover the value of (t/M) and therefore the bit b without knowledge of t. 
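The three steps of Example 1 (U extracts r, B sends s and s', A recovers b from the Jacobi symbol) as an added Python model; this is illustration code, not the patent's own. The function names, SHA-256 over identity||counter standing in for the hash function #, and the Mersenne-prime toy parameters are this example's assumptions; the root formula, the (a/M) = +1 search, the forms of s and s', and the rule that t' must differ from t follow the text above.

```python
import hashlib
import secrets

# Constructed toy parameters: the Mersenne primes 2^89-1 and 2^107-1 are both
# 3 mod 4. Being public, they make M trivially factorable; a deployment needs
# secret primes large enough that factoring M is infeasible (the text: 1024-bit M).
P = 2**89 - 1
Q = 2**107 - 1
M = P * Q


def jacobi(n: int, m: int) -> int:
    """Jacobi symbol (n/m) for odd m > 0, computed without factoring m."""
    n %= m
    result = 1
    while n:
        while n % 2 == 0:  # remove factors of 2 using the value of (2/m)
            n //= 2
            if m % 8 in (3, 5):
                result = -result
        n, m = m, n  # quadratic reciprocity
        if n % 4 == 3 and m % 4 == 3:
            result = -result
        n %= m
    return result if m == 1 else 0  # 0 signals gcd(n, m) > 1


def hash_to_a(identity: str, modulus: int = M) -> int:
    """Step I/II: hash (identity || counter) repeatedly until (a/M) = +1.
    SHA-256 with a counter stands in for the hash function # (assumption)."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % modulus
        if jacobi(a, modulus) == 1:
            return a
        counter += 1


def extract_root(a: int) -> int:
    """Step I, U only (needs P, Q): r = a^((M+5-(P+Q))/8) mod M, a root of a or -a."""
    return pow(a, (M + 5 - (P + Q)) // 8, M)


def random_t(b: int) -> int:
    """Random t modulo M with (t/M) = b; also rejects any t with gcd(t, M) > 1."""
    while True:
        t = secrets.randbelow(M)
        if jacobi(t, M) == b:
            return t


def encrypt_bit(a: int, b: int):
    """Step II: s = t + a/t and s' = t' - a/t' mod M with (t/M) = (t'/M) = b.
    t' must differ from t: with one shared t, s + s' = 2t would expose b."""
    t = random_t(b)
    t2 = random_t(b)
    while t2 == t:
        t2 = random_t(b)
    s = (t + a * pow(t, -1, M)) % M
    s_prime = (t2 - a * pow(t2, -1, M)) % M
    return s, s_prime


def decrypt_bit(r: int, a: int, s: int, s_prime: int) -> int:
    """Step III: s + 2r = t(1 + r/t)^2 when r^2 = a, so ((s+2r)/M) = (t/M) = b;
    when r^2 = -a the same identity holds for s' + 2r instead."""
    if pow(r, 2, M) == a % M:
        return jacobi(s + 2 * r, M)
    return jacobi(s_prime + 2 * r, M)


def roundtrip(identity: str, bits):
    """Register identity with U, then send and recover a list of +1/-1 bits."""
    a = hash_to_a(identity)
    r = extract_root(a)
    assert pow(r, 2, M) in (a, (-a) % M)  # r is a root of a or of -a
    return [decrypt_bit(r, a, *encrypt_bit(a, b)) for b in bits]
```

Each bit costs two numbers of the size of M, matching the text's 15 Kbyte estimate for a 120-bit cryptovariable under a 1024-bit modulus when both s and s' are sent.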
Example 2 

The universal authority U generates a universally available public modulus M which 
is again the product of two primes P and Q, which are known by U only. However, P 
and Q are not chosen to be both congruent to 3 mod 4. In this case either one of P or Q 
will be chosen to be congruent to 3 mod 4 and the other congruent to 1 mod 4 or both 
P and Q will be chosen to be congruent to 1 mod 4. The example described above will 
be valid with the following modifications: 

1) The universal authority U will need to find an integer x such that x is not a 
square modulo P and Q. Integer x will need to be published along with M 
and the hash function. 

2) Using the secure one-way hash function as before U then calculates a value 
a modulo M such that the Jacobi symbol (a/M) is +1. User A will receive a 
square root of either a or xa and such a root can be calculated by a standard 
technique as described in Cohen. This step corresponds to receiving a 
square root of a or -a in the case when P and Q are congruent to 3 mod 4. 

3) Now when B sends data to A, for each bit b that he wishes to send, he 
chooses values t and t' for which the Jacobi symbols (t/M) and (t'/M) are 
+1 or -1 depending on the bit b to be sent. He then sends 
s = (t + a/t) mod M to A and also s' = (t' + xa/t') mod M to A. 

4) A then recovers the bit b as in example 1, i.e. if he has the square root of a 
then he recovers b by working out ((s + 2r)/M) and if he has the square root of 
xa then he recovers b by working out ((s' + 2r)/M). 

Example 3 

The universal authority U generates a universally available public modulus M which 
is again the product of two non-even primes P and Q, which are known by U only. 
The universal authority U will need to find an integer x such that x is not a square 
modulo P and Q. Integer x will need to be published along with M and the hash 
function. 

Using the secure one-way hash function as before U then calculates a value a modulo 
M such that the Jacobi symbol (a/M) is +1. User A will receive a square root of either 
a or xa and such a root can be calculated by a standard technique as described in 
Cohen. 

U publishes whether A has received a root of +a, -a or xa; 
B computes a and: 

(I) if A has received a root of +a: transmits a bit cryptovariable b to A 
encrypted as s = (t + a/t) mod M, where t is a random number modulo 
M such that the Jacobi symbol (t/M) = b and b is coded as either +1 or -1; 

(II) if A has received a root of -a: transmits a bit cryptovariable b to A 
encrypted as s' = (t - a/t) mod M, where t is a random number modulo M 
such that the Jacobi symbol (t/M) = b and b is coded as either +1 or -1; 

(III) if A has received a root of xa: transmits a bit cryptovariable b to A 
encrypted as s'' = (t + xa/t) mod M, where t is a random number modulo M 
such that the Jacobi symbol (t/M) = b and b is coded as either +1 or -1; 

A then recovers the bit b as in example 1, i.e. if he has the square root of a then he 
recovers b by working out ((s + 2r)/M) and if he has the square root of -a then he 
recovers b by working out ((s' + 2r)/M) and if he has the square root of xa then he 
recovers b by working out ((s'' + 2r)/M). 

Conveniently, the identity of each user will be his publicly known email address and 
for additional encryption security the current date can be added. As will be apparent 
to those in the art, further security can be provided to the system by splitting the 
responsibility for generation of the public modulus among several universal 
authorities. 



In a particularly advantageous arrangement, aimed to reduce the overall bandwidth of 
messages without compromising their security, the secure encryption of the present 
invention may be applied only to message headers accompanying messages encrypted 
in accordance with a known standard encryption. The key to decrypting the message 
would then be provided within the message headers. 
Claims 



1. A method of operating an identity based directoryless key-code cryptographic 
communication system comprising two users A and B and a universal authority U, 
involving the generation of a public modulus M, being the product of two primes P 
and Q which are both congruent to 3 mod 4, and the operation of a publicly 
available secure one-way hash function #, characterised by the following steps: 

i) having U determine the public modulus M; 

ii) having U apply the # to A's identity to produce a value a modulo M such that the 
Jacobi symbol (a/M) is +1 and then to calculate the square root modulo M of a or 
-a and supply a resulting root, r, to A; 

iii) having B compute a and transmit a bit of cryptovariable b to A encrypted as 
s = (t + a/t) mod M, where t is a random number modulo M such that the Jacobi 
symbol (t/M) = b and b is coded as either +1 or -1; 

iv) having B retransmit the bit of cryptovariable b to A encrypted as 
s' = (t' - a/t') mod M, where t' is a different random number modulo M to t such 
that (t'/M) = b; 

v) having user A recover cryptovariable bit b by computing b = ((s + 2r)/M) or 
b = ((s' + 2r)/M). 
2. A method of operating an identity based directoryless key-code cryptographic 
communication system comprising two users A and B and a universal authority U, 
involving the generation of a public modulus M, being the product of two primes P 
and Q of which one or both are congruent to 1 mod 4, and the operation of a 
publicly available secure one-way hash function #, characterised by the following 
steps: 

i) having U determine the public modulus M; 

ii) having U find and publish an integer x such that x is not a square modulo P nor Q; 

iii) having U apply the # to A's identity to produce a value a modulo M such that 
the Jacobi symbol (a/M) is +1 and then to calculate the square root modulo M of a 
or xa and supply a resulting root, r, to A; 

iv) having B compute a and transmit a bit of cryptovariable b to A encrypted as 
s = (t + a/t) mod M, where t is a random number modulo M such that the Jacobi 
symbol (t/M) = b and b is coded as either +1 or -1; 

v) having B retransmit the bit of cryptovariable b to A encrypted as 
s' = (t' + xa/t') mod M, where t' is a different random number modulo M to t such 
that (t'/M) = b; 

vi) having A recover cryptovariable bit b by computing b = ((s + 2r)/M) or 
b = ((s' + 2r)/M). 
3. A method of operating an identity based directoryless key-code cryptographic 
communication system comprising two users A and B and a universal authority U, 
involving the generation of a public modulus M, being the product of any two non-even 
primes P and Q, and the operation of a publicly available secure one-way hash 
function #, characterised by the following steps: 

i) having U determine the public modulus M; 

ii) having U apply the # to A's identity to produce a value a modulo M such that 
the Jacobi symbol (a/M) is +1 and then to calculate the square root modulo M 
of a, -a or xa where x, which is an additional publicly available system 
parameter, is an integer which is neither square modulo P nor Q, and to supply 
a resulting root, r, to A; 

iii) having U publish whether A has received a root of +a, -a or xa; 

iv) having B compute a and: 

(I) if A has received a root of +a: transmit a bit of cryptovariable b to A 
encrypted as s = (t + a/t) mod M, where t is a random number modulo 
M such that the Jacobi symbol (t/M) = b and b is coded as either +1 or -1; 

(II) if A has received a root of -a: transmit a bit cryptovariable b to A 
encrypted as s' = (t - a/t) mod M, where t is a random number modulo 
M such that the Jacobi symbol (t/M) = b and b is coded as either +1 or -1; 

(III) if A has received a root of xa: transmit a bit cryptovariable b to A 
encrypted as s'' = (t + xa/t) mod M, where t is a random number modulo 
M such that the Jacobi symbol (t/M) = b and b is coded as either +1 or -1; 

v) having A recover cryptovariable bit b by computing 

(I) b = ((s + 2r)/M), 

(II) b = ((s' + 2r)/M), or 

(III) b = ((s'' + 2r)/M). 
4. A method of operating an identity based directoryless key-code cryptographic 
communication system as claimed in any one of the claims 1 to 3 characterised in 
that user A is identified by his email address. 

5. A method of operating an identity based directoryless key-code cryptographic 
communication system as claimed in any one of the claims 1 to 4 characterised in 
that A's identity includes the date to increase the security of the system. 

6. A method of operating an identity based directoryless key-code cryptographic 
communication system as claimed in any of the preceding claims in which the 
generation of the public modulus is split between a plurality of universal 
authorities acting in co-operation. 

7. A method of operating an identity based directoryless key-code cryptographic 
communication system, characterised in that a message header section is encrypted 
according to the method claimed in any one preceding claim and the transmission 
message is encrypted using a standard encryption technique, the decryption key to 
the transmission message being in the header section. 

8. An identity based directoryless key-code cryptographic system comprising a 
communications channel accessible by an encryption microprocessor and a 
decryption microprocessor operably coupled to exchange data and operably 
connectable to the communications channel characterised in that the 
microprocessors are programmed to co-operate according to the method claimed in 
any preceding claim. 
Fig. 1. 

Universal Authority U 
Knows: #, P, Q (,x) 
Receives: ID_A 
Calculates: M, a, r 
Publishes: #, M (,x) 

User A 
Knows: #, M, ID_A (,x) 
Receives: r 

Note: "x" is an integer which is only relevant for cases 
where P and Q are not congruent to 3 mod 4 